San Francisco Railway ‘Never Considered Paying the Ransom’ To Hackers

The agency that operates San Francisco’s municipal railway has all but recovered from a crippling ransomware attack that struck its computer network over Thanksgiving weekend, the agency said.

Hackers had infected the municipal transportation agency’s systems with malicious software that locked employees out of their digital files on Friday. The cybercriminal group demanded a ransom of 100 Bitcoins, or about $73,000, for the agency to regain access.

When the attackers did not receive the payment, they additionally threatened to dump 30 gigabytes of the agency’s employee and customer data that they claimed to have stolen. That ultimatum appears, however, to have been a bogus scare tactic to extort its prospective victim.

Paul Rose, a spokesman for the San Francisco Municipal Transportation Agency, emailed Fortune on Monday evening to say that the agency had called the attackers’ bluff. “Based on the information we have, and in conference with DHS,” he said, referring to the Department of Homeland Security, with whom the agency is cooperating in an ongoing investigation, “we believe they do not have access to critical data files.”

Further, Rose added, the agency “never considered paying the ransom.” Instead, the agency restored the majority of its roughly 900 affected office computers through data backups. (Previous reports suggested that the malware had impacted more than 2,000 of the agency’s computers.)

“Existing backup systems allowed us to get most affected computers up and running this morning,” Kristen Holland, another agency spokeswoman, said in a blog post on Monday evening. She said the agency’s IT team expects that the rest will be restored “in the next day or two.”

“Muni operations and safety were not affected. Our customer payment systems were not hacked,” Holland wrote, noting that the attack had affected access to email and, vaguely, “various systems.” Station ticketing kiosks had been unplugged as a “precaution” between Friday and Sunday morning, she said.

“No data was accessed from any of our servers,” she added.

In a surprising turn of events (and, perhaps, a bit of satisfying poetic justice), two reports soon surfaced suggesting that the ransomware peddlers themselves had been hacked over the weekend. Anonymous security researchers contacted two reporters with evidence reportedly stolen from the attackers.

The first story, by Brian Krebs, an independent cybersecurity researcher, reported that the attackers appeared to have exploited vulnerabilities in unpatched Oracle software to gain entry to the agency’s computer network. Previous targets of the San Francisco railway hacker appeared to include a number of U.S.-based construction and manufacturing firms.

Krebs also hypothesized, based on the provenance of Internet addresses used to administer a computer server associated with the attacks as well as some language analysis, that the attackers may be based in Iran.

Shortly thereafter, Thomas Fox-Brewster, a security reporter at Forbes, reported having made contact with another person who allegedly hacked the same email account implicated in the attack. Adding up the value of Bitcoins stored in Bitcoin addresses linked to the hackers’ accounts, he estimated that the operation had raked in “well above $100,000 in less than four months.”

The source also disputed the idea that people responsible for the hacking were in Iran, but that person provided no evidence or reasoning to support the claim.

Chinese Firm Recalls Up to 10,000 Webcams After Friday’s Major Hack

Up to 10,000 webcams will be recalled in the aftermath of a cyber attack that blocked access last week to some of the world’s biggest websites, Chinese manufacturer Hangzhou Xiongmai Technology told Reuters on Tuesday.

In Washington, a member of the U.S. Senate Intelligence committee asked three federal agencies what steps the government can take to prevent cyber criminals from compromising electronic devices.

In a new type of attack last Friday, hackers harnessed hundreds of thousands of webcams and other connected devices globally to flood U.S.-based internet infrastructure provider Dyn with so much traffic that it could not cope, cutting access to websites including PayPal, Spotify, and Twitter.

Hangzhou Xiongmai said it would recall some surveillance cameras sold in the United States after researchers identified they had been targeted in the attack.

Liu Yuexin, Xiongmai’s marketing director, estimated the number of vulnerable devices at fewer than 10,000 to be recalled. He said the company would recall the first few batches of surveillance cameras made in 2014 that monitor rooms or shops for personal, rather than industrial, use.

The U.S. Department of Homeland Security (DHS) said it had discussed the attacks with 18 major communications service providers and was working to develop a new set of “strategic principles” for securing internet-connected devices.

Authorities have yet to identify suspects in the attack, but the Director of U.S. National Intelligence, James Clapper, said on Tuesday that an early analysis did not point to a foreign government.

Cyber intelligence firm Flashpoint concurred.

“The evidence that we have strongly suggests it is amateur, attention-motivated hackers,” said Allison Nixon, Flashpoint’s director of security research.

Nixon said the same infrastructure was used on Friday in an unsuccessful attempt to disrupt internet access to a major video game manufacturer, which she declined to identify.

“Nation states generally don’t attack gaming companies,” she said.

U.S. Senate intelligence committee member Senator Mark Warner, a Democrat, sent letters on Tuesday asking DHS, the Federal Communications Commission (FCC) and Federal Trade Commission if they have adequate tools for combating the threat posed by “bot net” armies of infected electronic devices.

“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner said.

Why A Chinese Firm Is Issuing a Recall After Friday’s Cyberattack

Chinese firm Hangzhou Xiongmai Technology said it will recall some of its products sold in the United States after it was identified by security researchers as having made parts for devices that were targeted in a major hacking attack on Friday.

Hackers unleashed a complex attack on the Internet through common devices like webcams and digital recorders, and cut access to some of the world’s best known websites in a stunning breach of global Internet stability.

The electronics components firm, which makes parts for surveillance cameras, said in a statement on its official microblog that it would recall some of its earlier products sold in the United States, strengthen password functions, and send users a patch for products made before April last year.

It said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches. It said reports that its products made up the bulk of those targeted in the attack were false.

“Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too,” the company statement said.

Friday’s cyber attack alarmed security experts because it represented a new type of threat rooted in the proliferation of simple digital devices such as webcams. These often lack proper security, and hackers found a way to harness millions of them to flood a target with so much traffic that it couldn’t cope.

The main products Xiongmai is to recall are all webcam models, it said.

Yesterday’s Internet Takedown Was Powered by Chinese-made Webcams and DVRs

Yesterday, a large-scale attack on internet infrastructure disrupted Twitter, Paypal, Amazon Web Services, and dozens of other sites, most apparently linked to the domain name service Dyn. Now, security researchers say they’ve identified at least one culprit in the attack—a massive network of hijacked Internet of Things devices, including connected cameras and digital recorders, marshaled to send the gargantuan waves of domain requests that overwhelmed directory servers.

Remarkably, according to Flashpoint security research head Allison Nixon, most of the components involved were made by one company, China’s XiongMai Technologies. Those components, which are used in a variety of devices under other brands, include hard-coded factory-default passwords, which cannot be reset by users easily, if at all, making it simple for hackers to gain control of them en masse.

The software used to control these devices—which almost certainly number into the millions—is a malware package known as Mirai (the Japanese word for “future”). The source code for that software was made public by its anonymous creator earlier this month, meaning that any of a huge number of malicious hackers could have been responsible for yesterday’s attack.

According to security researcher Bruce Schneier, the attacks are likely unrelated to the escalating series of coordinated DDoS attacks we reported on earlier this month. But they are linked to a record-setting assault on the website of Krebs on Security, confirmed to be caused by a Mirai botnet.

This attack, then, is the realization of worst-case-scenario warnings from security experts about the risk posed by the Internet of Things. And there seem to be few options for preventing a repeat performance.

How Hackers Could Cause a Presidential Election ‘Virtual Hanging Chad’

The hanging chad from the 2000 Presidential election could be making a comeback—in virtual form.

At the Black Hat USA 2016 hacking conference in Las Vegas that ended on Aug. 4, security firm Tripwire surveyed more than 220 information security professionals to determine whether they believed hackers could influence the outcome of the Presidential election. Nearly two-thirds of those respondents—63%, to be exact—answered with a simple “yes.” Nearly 20% of respondents, however, believe any state-sponsored attacks that could affect this year’s elections shouldn’t be considered acts of cyber war.

Regardless, Tripwire’s senior director of security research and development Lamar Bailey said that hackers will inevitably attack the U.S. on election day, but they likely won’t be able to coordinate massive hacks. Instead, the security firm argues, hackers might try to target swing states and even counties within those states that might be easier targets to create disruption on election day.

“This is not something that can be done in a few days or weeks, if an organization is going to be successful in this style of attack they must be well funded and have started work months ago,” Bailey said. “It is much more likely that many small attacks will happen in an attempt to discredit the results from various states or counties within states. It could be like the 2000 election but with a virtual hanging chad.”

Bailey is referring to the infamous Florida recount in 2000 that caused a delay in determining the victor between George W. Bush and Al Gore. Chief among the concerns during the period were so-called “hanging chads,” or partially punched holes. There was nearly nightly debate during the period over whether the hanging chads should represent a vote or not, and to what degree they needed to be punched in order to show a desire to vote for the respective candidate.

Now, though, voting machines have become more sophisticated and some, like Tripwire and those at Black Hat USA, a hacker conference, suggest they could come under fire.

However, there is some debate over just how much damage hackers could or even would do.

Earlier this week, for instance, Fortune writer Jeff John Roberts threw cold water on the notion hackers could affect the election. He noted, among other things, that few American citizens actually use voting machines and most actually use paper ballots or mail-in votes. In addition, several states have a paper trail they can audit in the event something goes awry and most voting machines are so old, it could be impossible to hack them.

“Thanks to America’s decentralized voting process, the possibility of hackers wresting control of the election is basically nil,” he wrote. “Instead, the real concerns to the voting process are familiar ones like voter registration lists, ballot stuffing, or tampering with mail-in ballots. In other words, on Election Day, be more worried about the local party boss than the Kremlin.”

The Internet Law Resource Center agrees with Roberts, saying in its own piece on the matter that a widespread hack of U.S. voting machines is “highly unlikely.”

So, expect the debate to continue up until Election Day when Republican Donald Trump and Democrat Hillary Clinton square off in their race to the White House.

Here’s How Much Your Social Security Number Is Worth on the Dark Web

If you’ve ever wondered how much your Social Security number is worth, here’s a hint: About as much as your password to a pornographic site.

Account-monitoring company LogDog on Wednesday published its findings on how much personal information is being sold for on the Dark Web, places on the Internet where the vast majority of users don’t go, and where everything from drugs and illegal pornography to stolen credit cards are bought and sold. The company found that buyers are currently willing to pay just $1 for a Social Security number, which is the same amount they’ll pay for user and password information to Brazzers, a pornographic website. Access to someone’s PayPal account is the most valuable asset at up to $80, depending on the available balance.

People often access the Dark Web, or underground Internet as it’s also known, using anonymizing technology like Tor to obfuscate their IP address and conceal their locations from law enforcement. While using anonymizing technology is no guarantee for staying anonymous, it does make the search by law enforcement exceedingly difficult.

Once accessed, the Dark Web presents a host of opportunities for hackers and thieves. Indeed, there are a number of sites where people can buy drugs or guns, among other things. For hackers who have obtained data, the Dark Web has also become a place to sell account login information. Often, they use Bitcoin, an encrypted currency that shrouds its owner’s identification, to make transactions.

According to LogDog, online accounts have become a “hot commodity” on the underground web, but not always for the same reason. Uber accounts, for instance, are perfect for those who may want to take free rides and don’t want to pay much to do it—each account costs between $1 and $2. Netflix accounts, which also range in price from $1 to $2, are ideal for video-streamers. While Social Security numbers are useful for stealing identities, it appears they aren’t all that desirable to would-be fraudsters.

So, what is actually appealing? According to LogDog’s data, dating sites can fetch a bundle, with single accounts on eHarmony going for $10.

Still, it’s all about cash.

“This trend has gotten to a point where there are now stores completely dedicated to selling only online accounts, without even offering credit cards for sale,” LogDog wrote in a statement. “Fraudsters, it appears, have discovered the financial potential in targeting various online services instead of just banks and credit card issuers, which has led to this shift in the proliferation of underground online account stores.”

Here’s What the SEC Says Is the Financial System’s Biggest Threat

The worldwide financial system faces many threats, but there is one in particular that has Securities and Exchange Commission (SEC) chair Mary Jo White especially concerned.

Speaking at the Reuters Financial Regulation Summit on Tuesday, White said that the biggest threat facing financial systems both in the U.S. and abroad is cybersecurity. She noted that while major stock exchanges and clearing houses, among other financial entities, tend to be aware of the risks they face, they generally have “policies and procedures (that) are not tailored to their particular risks,” White said, according to Reuters.

But White wasn’t done sounding the alarm. She said that her agency is actively working with brokers and other members of the financial world to address issues, but “we can’t do enough in this sector.” Ultimately, the investment banks and other segments of the market must move forward with cybersecurity in mind or face the possibility of massive issues, she argued.

Indeed, the financial system has been targeted quite often over the last several years, and there are no signs of hackers slowing down.

Earlier this month, the Bank of Greece was hacked for “a few minutes.” While the hackers, who claimed to be members of the hacking collective Anonymous, didn’t appear to steal any information, it was part of a broader, 30-day campaign Anonymous has launched against banks around the world. In a video posted to YouTube, members of the collective said that it would launch attacks on “central bank sites across the world” as part of an extension of Operation Icarus, a campaign the group previously launched against Wall Street.

“This is a call to arms, brothers, who for too long have stood for nothing but have criticized everything,” Anonymous says in the video. “Stand now, behind the banner of free men against the tyrannical matrix of institutions that oppose us. Take your weapons and aim them at the Global Banking Cartel. This is the operation to end all others. In the beginning, some people may stand to lose something from this, but the powers that be stand to lose much more. Bring the rain, brothers!”

In February, a report surfaced, saying that Russian hackers were able to use a virus to attack Russia-based Energobank in February 2015. The effort helped the hackers briefly alter the value of the ruble against the dollar. The hackers were then able to buy more than $500 million “at non-market rates,” but ultimately didn’t sell the currency, according to the report. Instead, the hack was viewed as a proof-of-concept—a sign of potentially more trouble to come.

So, the threat to the financial system is real. If Smith’s public comments on the matter say anything, it’s that banks, financial institutions, and just about every other company that might handle money better watch out. The hackers are coming—and they are good at what they do.

North Korea Denies Cyber Attacks on South Korea Officials

North Korea on Sunday denied that it conducted cyber attacks against officials from rival South Korea, calling the South’s accusation that it did so a “fabrication”.

South Korea’s spy agency told lawmakers on Friday that North Korea had recently stepped up cyber attack efforts against the South and succeeded in hacking the mobile phones of 40 national security officials, according to members of parliament who received a closed-door briefing.

“The South is claiming the North’s cyber attack and using it for its own political purpose,” an opinion piece in the Rodong Sinmun, the official daily newspaper of the North’s ruling party, said on Sunday.

It accused the South of making the cyber attack claim in order to justify a controversial new “anti-terrorism” law.

“There is nothing to expect but the sound of eating corpses from a crow’s mouth. However, we cannot just overlook the South’s abrupt, provocative, and heinous accusations against its neighbor,” the article said.

Earlier in the week, South Korea’s National Intelligence Service also said North Korea had tried to hack into email accounts of South Korean railway workers in an attempt to attack the transport system’s control system, although it said it had interrupted the hacking attempt against the railway workers and closed off their email accounts.

South Korea has been on heightened alert against the threat of cyber attacks by North Korea after it conducted a nuclear test in January and a long-range rocket launch last month, triggering new U.N. sanctions.

Tensions are also heightened on the Korean peninsula as South Korea and the United States conduct annual joint military exercises that the South says are the largest ever and on Sunday included the arrival in South Korea of the nuclear-powered aircraft carrier USS John C Stennis.

North Korea has denounced the exercises as “nuclear war moves” and threatened to respond with an all-out offensive.

The North denied South Korea’s previous accusation that it conducted cyber attacks against the South’s nuclear operator.

The United States accused North Korea of a cyber attack against Sony Pictures in 2014 that led to the studio cancelling the release of a comedy based on the fictional assassination of the country’s leader, Kim Jong Un.

Look Out! Hacker Attacks Are Soaring

Hackers are on the prowl, and there are no signs that their hunting is slowing down.

In its latest State of the Internet report, Akamai Technologies, which helps companies serve their sites and digital content to the public, says that the number of denial of service attacks against company websites and services in the fourth quarter rose 40% compared to the previous quarter. Such attacks, which involve hackers using thousands of computers to overload websites, rose a whopping 149% compared to the fourth quarter of 2014.

Meanwhile, hacker attacks against corporate Internet-based software grew 28% compared to the third quarter, the company found.

Akamai’s findings are based on attacks on its own customers, which include a number of major companies. Akamai didn’t say how many of its customers were targeted, but it did say that it “mitigated” 3,600 denial of service attacks in the fourth quarter, alone.

The State of the Internet Report provides detailed information about the threats companies face in a world in which hacking is a perpetual threat. The report details not only how many attacks its customers faced, but also from where they originated and the methods the hackers used.

In July, for instance, New York Magazine’s web site succumbed to an attack by the hacking group, Vikingdom, which said it chose its target because it doesn’t like New York City. In December, hackers threatened gaming networks Xbox Live and the PlayStation Network by saying that they would use denial of service attacks to stop users from playing games online. Those attacks never materialized to the degree the hackers, Phantom Squad, had hoped. Still, the threat was part of a broader trend affecting many U.S. companies.

According to Akamai, 54% of all denial of service attacks in the fourth quarter targeted gaming companies. Another 23% of those attacks took aim at the software and technology industry. Akamai said that attacks on software were predominantly used against the retail industry. Retail companies accounted for nearly 59% of that kind of attack. Akamai didn’t say why retail was such a prominent target, but as recent hacks on major retailers have shown, stealing credit card information could have been a focus.

“The threat from DDoS and web application attacks isn’t going away,” Stuart Scholly, a senior vice president and general manager for Akamai said in a statement, using the acronym for denial of service attacks. “Each quarter, the number of attacks against Akamai customers continues to surge.”

He added: “And malicious actors aren’t backing down. They’re hammering away at the same targets over and over again, looking for a moment when defenses may be down.”

Looking ahead, however, at least Google hopes to turn the tide. Last week, the tech giant unveiled Project Shield, a service that helps stop hackers who want to use denial of service to take down websites.

The idea, currently being tested with human-rights sites, makes Google the site’s web host. When a denial of service attack is recognized, Google’s own internal infrastructure would kick in and blunt the attack before it takes down a site. It’s unknown if any organizations have taken Google up on its offer or how successful Project Shield would be in fighting off a sophisticated attack.

The IRS Just Admitted It Was Hacked 5 Times Worse Than It Thought

In an announcement Friday, the IRS said that it now believes 724,000 taxpayers’ information was stolen in a cyber attack last year, more than double the amount it said was exposed last summer. It’s the second time the IRS has raised its estimate of victims in the hack, which was first discovered last May.

The IRS originally said hackers had accessed 114,000 people’s personal information by downloading their tax returns through a “get transcript” feature on the agency’s website that has since been disabled. But in August, the IRS tripled its count, saying it believed 334,000 people’s information had been breached in the attack. That’s not even including taxpayers whose accounts the IRS said hackers targeted unsuccessfully.

In the meantime, the IRS has again fallen prey to hackers in a separate scheme. Earlier this month, identity thieves accessed information that would allow them to file for fraudulent tax refunds using names of more than 100,000 people whose social security numbers they had previously stolen—but the IRS said that no personal information was stolen from its systems in the breach.

The IRS did not say whether it was still in the process of counting people who were affected by the May cyber attack, or if it was possible that the total number of victims could increase further. But at this rate, the odds that taxpayers’ information was stolen just keep going up.